In many network environments, illegal or unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. As such, to detect and remediate such network vulnerabilities, existing network security systems typically conduct vulnerability analysis in the network through manual inspection or network scans. For example, conventional network scanners (or “active vulnerability scanners”) typically send packets or other messages to various devices in the network and then audit the network with information contained in any response packets or messages received from the devices in the network. Accordingly, physical limitations associated with the network typically limit the effectiveness for active vulnerability scanners because only devices that can communicate with the active vulnerability scanners can be audited, while actively scanning networks distributed over large areas or having large numbers of devices may take long amounts of time. For example, in a network that includes multiple routers, hosts, and other network devices, an active vulnerability scanner would typically have to send packets that traverse several routers to scan the hosts and other network devices, some of which may be inactive and therefore inaccessible to the active vulnerability scanner. Further, in scenarios where one or more of the routers have firewalls that screen or otherwise filter incoming and outgoing traffic, the active vulnerability scanner may generate incomplete results because the firewalls may prevent the active vulnerability scanner from auditing hosts or other devices behind the firewalls.
Furthermore, active vulnerability scanners typically create audit results that become stale over time because the audit results describe a static state for the network at a particular point in time. Thus, an active vulnerability scanner would likely fail to detect that hosts have been added or removed from the network following a particular active scan, whereby the audit results that active vulnerability scanners create tend to steadily decrease in value over time as changes to the network occur. Furthermore, active vulnerability scanners can have the tendency to cause network disruptions during an audit. For example, probing network hosts or other devices during an audit performed by an active vulnerability scanner may result in communication bottlenecks, processing overhead, and instability, among other potential problems in the network. Thus, deployment locations, configurations, and other factors employed to manage networks can often interfere with obtaining suitable network auditing results using only active vulnerability scanners.
As such, existing systems that tend to rely entirely on active vulnerability scanners typically prevent the active vulnerability scanner from obtaining comprehensive information that describes important settings, configurations, or other information associated with the network. In particular, malicious or unauthorized users often employ various techniques to obscure network sessions during an attempted breach, but active vulnerability scanners often cannot detect real-time network activity that may provide indications that the attempted breach is occurring. For example, many backdoor and rootkit applications tend to use non-standard ports and custom protocols to obscure network sessions, whereby intruders may compromise the network while escaping detection. Thus, many active vulnerability scanners can only audit the state of a network at a particular point in time, but suitably managing network security often requires further insight relating to real-time activity that occurs in the network. Accordingly, although active vulnerability scanners typically employed in existing network security systems can obtain certain information describing the network, existing systems cannot perform comprehensive security audits to completely describe potential vulnerabilities in the network, build models or topologies for the network, or derive other information that may be relevant to managing the network.
Furthermore, in many instances, certain hosts or devices may participate in sessions occurring on the network, yet the limitations described above can prevent active vulnerability scanners alone from suitably auditing the hosts or devices. As such, various existing network security systems employ one or more passive vulnerability scanners in combination with active vulnerability scanners to analyze traffic traveling across the network, which may supplement the information obtained from the active vulnerability scanners. However, even when employing passive vulnerability scanners in combination with active vulnerability scanners, the amount of data returned by the active vulnerability scanners and the passive vulnerability scanners can often be quite substantial, which can lead to difficulties in administrating the potentially large number of vulnerabilities and assets in the network. For example, many network topologies may include hundreds, thousands, or even larger numbers of nodes, whereby suitably representing the network topologies in a manner that provides visibility into the network can be unwieldy. More particularly, in an ideal world all vulnerabilities identified in a network would be patched in real-time, but most organizations tend to have limited resources and must rely on scheduled patch deployment, which may lead to difficulties in identifying high-value network clients that are subject to network attacks and servers (potentially already fully patched) that are managed with high-risk clients.
However, traditional network modeling solutions tend to suffer from various drawbacks that limit abilities to model network configurations and vulnerabilities. For example, a Windows 2008 system may be fully patched but administered from a desktop that surfs the Internet and that has an unpatched web browser or other exploitable client software, which may raise network vulnerabilities that could escape detection under the techniques employed with existing network security systems. In another example, configurations associated with firewalls, routers, switches, and other traffic management systems may be unavailable or outdated in certain cases, in which case any vulnerability modeling may fail to reflect a current network configuration state. Moreover, many networks have flat configurations in which every system can access every other system from inside a firewall, which raises substantially different issues from a flat network in which only a small subset of systems (e.g., administrators) can access key servers. Further still, current exploit and vulnerability modeling systems tends to be server-centric and therefore only model server exploits and vulnerabilities rather than combinations of client-side and server-side exploits and vulnerabilities.
Accordingly, a need exists for a network security system that can leverage active and passive vulnerability discovery to identify services, client software, trust relationships, and other weak points in a network that may represent remotely and/or internally exploitable vulnerabilities, and a further need exists for a network security system that can simulate attacks paths that may be used to potentially exploit vulnerable services, client software, trust relationships, and other weak points in a network.